Security Architecture

Understand RequestRocket's data storage architecture and security implementation

Data Storage Architecture & Security

Overview

RequestRocket implements a distributed data storage architecture with clear separation between control plane and data plane operations, ensuring security, scalability, and regulatory compliance.

Control Plane vs Data Plane Architecture

Control Plane

The control plane manages system configuration and aggregated analytics. It operates in the primary management region (ap-southeast-2) and stores:

  • Aggregated Statistics: Performance metrics, usage analytics, and system health data
  • Metadata: Configuration templates, system-wide settings, and deployment information
  • Client Management: High-level client information and relationship data
  • User Management: Authentication, authorization, and user profile data

Key Characteristics:

  • Centralized management in primary region
  • Only stores aggregated and metadata information
  • No sensitive operational data (credentials, actual request content)
  • Focuses on system administration and analytics

Data Plane

The data plane handles all operational data and request processing. It operates regionally and stores:

  • Credentials: All authentication credentials (encrypted)
  • Proxies: Proxy configurations and settings
  • Targets: Target API endpoint configurations
  • Rules: Request processing and transformation rules
  • Request Records: Detailed logs of all API transactions
  • Runtime Data: Cache, temporary tokens, and operational state

Key Characteristics:

  • Regional deployment for data sovereignty
  • Contains all sensitive operational data
  • Processes actual API requests and responses
  • Implements regional data isolation

All operational data remains in the region where it is configured, ensuring compliance with data sovereignty requirements.

Data Storage by Type

Regional Data Storage (Data Plane Only)

All operational data is stored exclusively in the region where it is configured:

1. Credentials Storage

  • Location: Regional DynamoDB tables in the configured region
  • Tables:
    • Credentials (metadata in app service)
    • proxyCredentials and targetCredentials (encrypted data in global service)
  • Security: AES-256-GCM encryption before storage
  • Access: Cannot be retrieved via API - only used for target API calls

2. Proxies Storage

  • Location: Regional DynamoDB in the configured region
  • Tables: Proxies table
  • Content: Proxy configurations, endpoints, and routing rules

3. Targets Storage

  • Location: Regional DynamoDB in the configured region
  • Tables: Targets table
  • Content: Target API endpoint configurations and settings

4. Rules Storage

  • Location: Regional DynamoDB in the configured region
  • Tables: Rules table
  • Content: Authorization, transformation, validation, and processing rules

5. Request Records & Logs

  • Location: Regional DynamoDB in the configured region
  • Tables: requests table in global service
  • Content: Complete request/response logs, timing data, validation results
  • Retention: 90-day TTL (configurable)

Cross-Service Data Distribution

App Service (RequestRocket-app)

Primary Tables:

  • Clients - Client metadata and configuration
  • Users - User accounts and permissions
  • Credentials - Credential metadata (encrypted secrets stored regionally)
  • Targets, Proxies, Rules - Reference data pointing to regional storage
  • Telemetry - Aggregated performance metrics
  • Transactions - Transaction metadata and billing data
  • Notifications - System, user, and client notifications

Global Service (RequestRocket-global)

Regional Tables:

  • proxyCredentials - Encrypted proxy authentication data
  • targetCredentials - Encrypted target API credentials
  • proxies - Proxy runtime configurations
  • targets - Target API endpoint configurations
  • Rules - Request processing rules
  • requests - Complete request/response logs and metrics
  • cache - Temporary data and tokens
  • authCodes - OAuth2 authorization codes

Transactions Service (RequestRocket-transactions)

Regional Tables:

  • Transactions - Detailed transaction records and audit logs

Security Implementation

AES-256-GCM Encryption

All credential data is encrypted with AES-256-GCM, an authenticated encryption mode that provides both confidentiality and integrity:

// Encryption Algorithm: AES-256-GCM
const ALGORITHM = "aes-256-gcm";
const IV_LENGTH = 16; // 128-bit initialization vector
const AUTH_TAG_LENGTH = 16; // 128-bit authentication tag

// Format: base64(iv):base64(authTag):base64(encryptedData)

Security Features:

  • 256-bit encryption key stored in AWS Secrets Manager
  • Base64 encoding for safe storage and transmission
  • Authenticated encryption with Galois/Counter Mode (GCM)
  • Unique IV per encryption operation
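
A sketch of how a record in this format can be sealed and opened with Node's built-in crypto module. It is an added example, not RequestRocket's code; the helper names `encryptSecret`, `decryptSecret` and `rejects`, the random demo key and the sample secret are assumptions made here.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const ALGORITHM = "aes-256-gcm";
const IV_LENGTH = 16; // bytes, value from the page
const AUTH_TAG_LENGTH = 16; // bytes, value from the page
const GCM_OPTS = { authTagLength: AUTH_TAG_LENGTH };

// Hypothetical helper: returns base64(iv):base64(authTag):base64(encryptedData).
function encryptSecret(plaintext, key) {
  const iv = randomBytes(IV_LENGTH); // fresh random IV for every call
  const cipher = createCipheriv(ALGORITHM, key, iv, GCM_OPTS);
  const data = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), data].map((b) => b.toString("base64")).join(":");
}

// Hypothetical helper: parses and authenticates a stored record, then decrypts it.
function decryptSecret(stored, key) {
  const parts = stored.split(":"); // ":" is not in the base64 alphabet
  if (parts.length !== 3) throw new Error("malformed record");
  const [iv, tag, data] = parts.map((p) => Buffer.from(p, "base64"));
  // Refuse short IVs and truncated tags before they reach the cipher.
  if (iv.length !== IV_LENGTH || tag.length !== AUTH_TAG_LENGTH) {
    throw new Error("malformed record");
  }
  const decipher = createDecipheriv(ALGORITHM, key, iv, GCM_OPTS);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not match the key, IV and ciphertext.
  return Buffer.concat([decipher.update(data), decipher.final()]).toString("utf8");
}

// True when a record is refused (malformed, tampered, or wrong key).
function rejects(stored, key) {
  try {
    decryptSecret(stored, key);
    return false;
  } catch {
    return true;
  }
}

// Constructed demo values; a real key would be fetched from the secret store.
const demoKey = randomBytes(32);
const demoRecord = encryptSecret("constructed-api-key-123", demoKey);
console.log(demoRecord.split(":").map((p) => Buffer.from(p, "base64").length));
```

The example keeps the page's 16-byte IV, which Node accepts; NIST SP 800-38D recommends a 96-bit (12-byte) IV for GCM, so check the IV length when exchanging records with other implementations.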

Credential secrets are encrypted before storage and cannot be retrieved via API calls for security reasons.

Credential Protection

Encryption Scope:

  • All credential secrets (passwords, API keys, OAuth tokens)
  • Stored encrypted in regional DynamoDB tables
  • Decryption only occurs during target API calls
  • Never transmitted or logged in plaintext

Access Restrictions:

  • Credentials cannot be retrieved via API calls
  • No plaintext exposure in logs or debug output
  • Automatic encryption during storage operations
  • Secure deletion when credentials are removed

Regional Data Isolation

Data Sovereignty:

  • All operational data remains in the configured region
  • No cross-region data replication for sensitive information
  • Regional compliance with data protection regulations
  • Independent regional deployments

Network Security:

  • Encrypted communications between services (TLS 1.2+)
  • IAM-based access controls
  • VPC isolation where applicable
  • Audit logging for all data access

Data Retention & Lifecycle

Request Records

  • Retention: 90 days (configurable TTL)
  • Purpose: Debugging, analytics, audit trails
  • Cleanup: Automatic DynamoDB TTL-based deletion

Credentials

  • Retention: Until explicitly deleted by user
  • Lifecycle: Active until revoked or expired
  • Cleanup: Cascade deletion of associated rules and proxies

Logs & Telemetry

  • Aggregation: Statistical summaries retained longer than raw data
  • Compliance: Customized to meet audit and regulatory requirements

Compliance & Governance

Data Protection

  • Encryption at rest for all sensitive data
  • Encryption in transit for all communications (TLS 1.2+)
  • Regional data residency compliance
  • Access logging and audit trails

Privacy Controls

  • Minimal data collection - only operational necessities
  • Data anonymization for analytics where possible
  • User consent for data processing
  • Right to deletion support

Audit & Monitoring

  • Complete audit trails for all data access
  • Real-time monitoring of encryption operations
  • Compliance reporting capabilities
  • Security incident detection and alerting

Regional Deployment

RequestRocket supports deployment in multiple AWS regions:

  • US East (N. Virginia) - us-east-1
  • US West (Oregon) - us-west-2
  • EU West (Ireland) - eu-west-1
  • Asia Pacific (Sydney) - ap-southeast-2

Choose regions based on your users' geographic locations and data sovereignty requirements.

Security Incident Response

If you suspect a security incident:

  1. Immediate Action: Disable affected proxies or credentials
  2. Contact Support: Notify RequestRocket support immediately
  3. Investigation: Work with support to investigate the incident
  4. Remediation: Follow recommended remediation steps
  5. Review: Update security policies and procedures
